[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]


[Switch to GnuPG fast! -- Raju]

This is an RFC 1153 digest.
(1 message)

Approved-By: aleph1@xxxxxxxxxxxxxxxxx
Delivered-To: bugtraq@xxxxxxxxxxxxxxxxxxxxxxx
Received: from securityfocus.com (mail.securityfocus.com []) by
          lists.securityfocus.com (Postfix) with SMTP id 181431EFB5 for
          <bugtraq@xxxxxxxxxxxxxxxxxxxxxxx>; Thu, 24 Aug 2000 07:28:48 -0700
Received: (qmail 25376 invoked by alias); 24 Aug 2000 14:29:52 -0000
Delivered-To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Received: (qmail 25373 invoked from network); 24 Aug 2000 14:29:51 -0000
Received: from setec.org ( by mail.securityfocus.com with SMTP;
          24 Aug 2000 14:29:51 -0000
Received: (from phosgene@localhost) by setec.org (8.8.8/8.8.8) id KAA29948;
          Thu, 24 Aug 2000 10:28:52 -0400 (EDT)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.NEB.4.10.10008241020110.29902-100000@xxxxxxxxx>
Reply-To: Phosgene <phosgene@xxxxxxxxx>
In-Reply-To:  <20000823211011.G24198@xxxxxxxxxxxxxxxx>
From: Phosgene <phosgene@xxxxxxxxx>
Sender: Bugtraq List <BUGTRAQ@xxxxxxxxxxxxxxxxx>
To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Subject:      SERIOUS PGP BUG!
Date:         Thu, 24 Aug 2000 10:28:51 -0400

In case you have not heard there is a serious bug in some versions of PGP
related to additonal decryption keys (ADK).
For more information look at John Young's site which details some of this:

Quoting from an email on the site:

"Tested versions of PGP:
PGP-2.6.3ia UNIX   (not vulnerable - doesn't support V4 signatures)
PGP-5.0i UNIX      (not vulnerable)
GnuPG-1.0.1 UNIX   (not vulnerable)"

A paper detailing an aspect of the vulnerability is written by Ralf
Senderek: http://senderek.de/security/key-experiments.html and his student
Stephen Early <Stephen.Early@xxxxxxxxxxxx> seems to have worked on
detailing this vulnerability as well on the ukcrypto mailing list.



End of this Digest